This weekly-updated image is intended to be text-only recovery toolchest with some basic forensic capabilities.

+

The SuperFetch DB files can be stored in uncompressed or compressed form, where different version of Windows use different compression methods:

+

* Compressed SuperFetch DB - MEM file format; Windows Vista and 7

+

* Compressed SuperFetch DB - MAM file format; Windows 8

−

It will not activate MDRAID/LVM when booted with "forensic" keyword (available via a separate isolinux boot target) and will not try to use swaps or autodetect/mount filesystems unless requested explicitly; <tt>mount-system</tt> script will use <tt>ro,loop</tt> mount options when booted in this mode.

+

=== Compressed SuperFetch DB - MEM file format ===

+

The MEM file consists of:

+

* file header

+

* compressed blocks

−

Build profile suitable for ALT Linux <tt>mkimage</tt> tool is included as <tt>.disk/profile.tgz</tt>.

Most of the usual rescue suspects should be there; [[biew]], [[chntpw]], [[dc3dd]]/[[dcfldd]], [[foremost]], [[john]], [[md5deep]], [[nmap]], [[scalpel]], [[sleuthkit]], [[wipefreespace]] to name a few are available either.

+

==== Compressed blocks ====

+

The file header is followed by compressed blocks:

+

{| class="wikitable"

+

|-

+

! Offset

+

! Size

+

! Value

+

! Description

+

|-

+

| 0

+

| 4

+

|

+

| Compressed data size

+

|-

+

| 4

+

| ...

+

|

+

| Compressed data

+

|-

+

|}

−

== Platforms ==

+

=== Compressed SuperFetch DB - MAM file format ===

+

On Windows 8 (seen on 8.1) the MEM file format seem to have been replaced by the MAM file format.

−

i586 (BIOS) and x86_64 (BIOS/UEFI); SecureBoot might be left enabled in most occasions.